[0001] This invention relates to methods and systems for converting
a first key value of a first communications system to a second key
value of a second communications system.

[0002] FIG. 1 depicts a schematic diagram of first and second
wireless communications systems which provide wireless communications
service to wireless units (e.g., wireless units 12a-c) that are
situated within the geographic regions 14 and 16, respectively. A
Mobile Switching Center (e.g. MSCs 20 and 24) is responsible for,
among other things, establishing and maintaining calls between the
wireless units, calls between a wireless unit and a wireline unit
(e.g., wireline unit 25), and/or connections between a wireless unit
and a packet data network (PDN), such as the internet. As such, the
MSC interconnects the wireless units within its geographic region
with a public switched telephone network (PSTN) 28 and/or a packet
data network (PDN) 29. The geographic area serviced by the MSC is
divided into spatially distinct areas called "cells." As depicted in
FIG. 1, each cell is schematically represented by one hexagon in a
honeycomb pattern; in practice, however, each cell has an irregular
shape that depends on the topography of the terrain surrounding the
cell.

[0003] Typically, each cell contains a base station (e.g. base
stations 22a-e and 26a-e), which comprises the radios and antennas
that the base station uses to communicate with the wireless units in
that cell. The base stations also comprise the transmission equipment
that the base station uses to communicate with the MSC in the
geographic area. For example, MSC 20 is connected to the base
stations 22a-e in the geographic area 14, and an MSC 24 is connected
to the base stations 26a-e in the geographic region 16. Within a
geographic region, the MSC switches calls between base stations in
real time as the wireless unit moves between cells, referred to as
call handoff. Depending on the embodiment, a base station controller
(BSC) can be a separate base station controller (BSC) (not shown)
connected to several base stations or located at each base station
which administers the radio resources for the base stations and
relays information to the MSC.

[0004] The MSCs 20 and 24 use a signaling network 32, such as a
signaling network conforming to the standard identified as
TIA/EIA-41-D entitled "Cellular Radiotelecommunications Intersystem
Operations," December 1997 ("IS-41"), which enables the exchange of
information about the wireless units which are roaming within the
respective geographic areas 14 and 16. For example, a wireless unit
12a is roaming when the wireless unit 12a leaves the geographic area
14 of the MSC 20 to which it was originally assigned (e.g. home MSC).
To ensure that a roaming wireless unit can receive a call, the
roaming wireless unit 12a registers with the MSC 24 in which it
presently resides (e.g., the visitor MSC) by notifying the visitor
MSC 24 of its presence. Once a roaming wireless unit 12a is
identified by a visitor MSC 24, the visitor MSC 24 sends a
registration request to the home MSC 20 over the signaling network
32, and the home MSC 20 updates a database 34, referred to as the
home location register (HLR), with the identification of the visitor
MSC 24, thereby providing the location of the roaming wireless unit
12a to the home MSC 20.

[0005] After a roaming wireless unit is authenticated, the home MSC
20 provides to the visitor MSC 24 a customer profile which indicates
the features available to the roaming wireless unit, such as call
waiting, caller id, call forwarding, three-way calling, and
international dialing access. Upon receiving the customer profile,
the visitor MSC 24 updates a database 36, referred to as the visitor
location register (VLR), to provide the same features as the home MSC
20. The HLR, VLR and/or the authentication center (AC) can be
co-located at the MSC or remotely accessed.

If a wireless unit is roaming between wireless communications systems
using different wireless communications standards, providing the
wireless unit with the same features and services in the different
wireless communications systems is complex if even feasible. There
are currently different wireless communication standards utilized in
the U.S., Europe, and Japan. The U.S. currently utilizes two major
wireless communications systems with differing standards. The first
system is a time division multiple access system (TDMA) and is
governed by the standard known as IS-136, the second system is a code
division multiple access (CDMA) system governed by the standard known
as IS-95. Both communication systems use the standard known as IS-41
for intersystem messaging, which defines the authentication
procedure.

[0007] In TDMA, users share a frequency band, each user's speech is
stored, compressed and transmitted as a quick packet, using
controlled time slots to distinguish them, hence the phrase "time
division". At the receiver, the packet is decompressed. In the IS-136
protocol, three users share a given carrier frequency. In contrast,
CDMA uses a unique code to "spread" the signal across the wide area
of the spectrum (hence the alternative name - spread spectrum), and
the receiver uses the same code to recover the signal from the noise.
A very robust and secure channel can be established, even for an
extremely low-power signal. Further, by using different codes, a
number of different channels can simultaneously share the same
carrier signal without interfering with each other. Both CDMA and
TDMA systems are defined for a Second Generation (2G) and Third
Generation (3G) phases with differing requirements for user
information privacy or confidentiality.

[0008] Europe utilizes the Global System for Mobiles (GSM) network as
defined by the European Telecommunications Standard Institute (ETSI).
GSM is a TDMA standard, with 8 users per carrier frequency. The
speech is taken in 20 msec windows, which are sampled, processed, and
compressed. GSM is transmitted on a 900 MHz carrier. There is an
alternative system operating at 1.8 GHz (DCS 1800), providing
additional capacity, and is often viewed as more of a personal
communication system (PCS) than a cellular system. In a similar way,
the U.S. has also implemented DCS-1900, another GSM system operating
on the different carrier of 1.9 GHz. Personal Digital Cellular (PDC)
is the Japanese standard, previously known as JDC (Japanese Digital
Cellular). PDC is a TDMA standard similar to the U.S. standard known
as IS-54 protocol.

[0009] The GSM network utilizes a removable user identification
module (UIM) which is a credit card size card which is owned by a
subscriber, who slides the UIM into any GSM handset to transform it
into "their" phone. It will ring when their unique phone number is
dialed, calls made will be billed to their account; all options and
services connect; voice mail can be connected and so on. People with
different UIMs can share one "physical" handset, turning it into
several "virtual" handsets, one per UIM. Similar to the U.S. systems,
the GSM network also permits "roaming", by which different network
operators agree to recognize (and accept) subscribers from other
wireless communications systems or networks, as wireless units (or
UIMs) move. So, British subscribers can drive through France or
Germany and use their GSM wireless unit to make and receive calls (on
their same UK number), with as much ease as an American businessman
can use a wireless unit in Boston, Miami, or Seattle, within any one
of the U.S. wireless communications system. The GSM system is defined
as a Second Generation (2G) system.

[0010] The third generation (3G) enhancement of the GSM security
scheme is defined in the Universal Mobile Telecommunications Service
(UMTS) set of standards, and specifically for the security in the
standard identified as 3GPP TS-33.102 "Security Architecture"
specifications. This security scheme with slight variations will be
used as a basis for the worldwide common security scheme for all 3G
communications systems, including UMTS, TDMA, and CDMA.

[0011] The 2G GSM authentication scheme is illustrated in FIG. 2.
This authentication scheme includes a home location register (HLR)
40, a visiting location register (VLR) 50, and a wireless unit or
mobile terminal (MT) 60, which includes a UIM 62. When the mobile
terminal 60 places a call, a request is sent to the home location
register 40, which generates an authentication vector AV, also called
"triplet" (RAND, SRES, Kc) from a root key Ki. The triplet includes a
random number RAND, a signed response SRES, and a session key Kc. The
triplet is provided to the visiting location register 50, which
passes the random number RAND to the mobile terminal 60. The UIM 62
receives the random number RAND, and utilizing the root key Ki, the
random number RAND, and an algorithm A3, calculates a signed response
SRES. The UIM 62 also utilizes the root key Ki and the random number
RAND, and an algorithm A8 to calculate the session key Kc. The SRES,
calculated by the UIM 62, is returned to the visiting location
register 50, which compares this value from the SRES received from
the home location register 40, in order to authenticate the
subscriber using the mobile terminal 60.

[0012] In the GSM "challenge/response" authentication system, the
visiting location register 50 never receives the root key Ki being
held by the UIM 62 and the home location register 40. The VLR 50 also
does not need to know the authentication algorithms used by the HLR
40 and UIM 62. Also, in the GSM authentication scheme, the triplet
must be sent for every phone call by the home location register 40.
RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224
bits of data for each request, which is a significant data load. The
main focus of this description is the 64 bits long session ciphering
key which is used for user information confidentiality. When the
mobile terminal roams into another serving system while in the call,
the session key Kc is forwarded from the old VLR to the new target
serving system.

[0013] FIG. 3 shows the UMTS security scheme which is an enhancement
to the 2G GSM scheme. Similar to the GSM scheme, when the mobile
terminal 90 places a call, a request is sent to the home location
register 70, which sends an authentication vector AV to the Visited
Location Register (VLR) 80 which contains five elements instead of
the three elements of a triplet, and therefore is called
"quintuplet". This vector contains the 128 bit RAND, the 64 bits
SRES, the AUTN value which carries the authentication signature of
the home network, and two session security keys: the 128 bit
ciphering key CK and the 128 bit integrity key IK. These latter two
keys, CK and IK, are the focus of this description.
[0014] The vector is provided to the visiting location register 80,
which passes the random number RAND and the AUTN to the mobile
terminal 90. The UIM 92 receives the random number RAND, and
utilizing the root key Ki, the random number RAND, and defined
algorithmic functions, validates the AUTN and calculates a signed
response SRES. The UIM 92 also utilizes the root key Ki and the
random number RAND and defined algorithmic functions to calculate the
session keys CK and IK. The SRES, calculated by the UIM 92, is
returned to the visiting location register 80, which compares this
value from the SRES received from the home location register 70 in
order to authenticate the subscriber using the mobile terminal 90. A
focus of this description are the 128 bits long session ciphering key
CK and 128 bits long session integrity key IK which are used for user
information confidentiality and session integrity protection. Once
the subscriber is successfully authenticated, the VLR 80 activates
the CK and IK received in this authentication vector. If the mobile
terminal roams into another serving system while on the call, the CK
and IK are sent to the new target serving system.

[0015] The 2G IS-41 authentication scheme, used in U.S. TDMA and CDMA
systems, is illustrated in FIG. 4. This authentication scheme
involves a home location register (HLR) 100, a visiting location
register (VLR) 110, and a mobile terminal (MT) 120, which can include
a UIM 122. The root key, known as the A_key, is stored only in the
HLR 100 and the UIM 122. There is a secondary key, known as Shared
Secret Data SSD, which is sent to the VLR 110 during roaming. SSD is
generated from the A_key using a cryptographic algorithm. The
procedure for generating the SSD is described elsewhere and is known
to those skilled in the art. When the MT 120 roams to a visiting
network, the VLR 110 sends an authentication request to the HLR 100,
which responds by sending that subscriber's SSD. Once the VLR 110 has
the SSD, it can authenticate the MT 120 independently of the HLR 100,
or with the assistance of the HLR 100 as is known to those skilled in
the art. The VLR 110 sends a random number RAND to the UIM 122 via
the MT 120, and the UIM 122 calculates the authentication response
(AUTHR) using RAND and the stored value of SSD in UIM 122. AUTHR is
returned to the VLR 110, which checks it against the value of AUTHR
that it has independently calculated in the same manner. If the two
AUTHR values match, the MT 120 is declared valid. This process
repeats when the wireless unit attempts to access the system, for
instance, to initiate a call, or to answer a page when the call is
received.

[0016] In these cases, the session security keys are also generated.
To generate session security keys, the internal state of the
computation algorithm is preserved after the authentication
calculation. Several session security keys are then calculated by the
UIM 122 and the VLR 110 using the current value of SSD. Specifically,
the 520 bits Voice Privacy Mask (VPM) is computed, which is used for
concealing the TDMA speech data throughout the call. This VPM is
derived at the beginning of the call by the UIM and VLR, and, if the
mobile roams into another serving system during the call, the VPM is
sent to the new serving system by the VLR. When the call is
concluded, the VPM is erased by both the UIM and the serving VLR.
Likewise, the 64 bits Signaling Message Encryption Key (SMEKEY) is
computed, which is used for encrypting the TDMA signaling information
throughout the call. This SMEKEY is derived at the beginning of the
call by the UIM and VLR, and, if the mobile roams into another
serving system during the call, the SMEKEY is sent to the new serving
system by the VLR. When the call is concluded, the SMEKEY is erased
by both the UIM and the serving VLR.

[0017] The 2G CDMA scheme uses a similar method of key distribution,
except, instead of the 520 bits VPM, it is using the 42 Least
Significant Bits (LSB) of the VPM as a seed into the Private Long
Code Mask (PLCM). This PLCM is used as an additional scrambling mask
for the information before its spreading. The 42-bit PLCM is
consistent throughout the call and is sent to the new serving system
by the VLR if the mobile roams into another serving system. The
SMEKEY is used in the same way as in the TDMA based scheme.

[0018] The IS-41 3G security scheme uses the UMTS security scheme,
which is based on the delivery of the 128-bits ciphering key CK and
128-bits integrity key IK to the visited system VLR, while the same
keys are computed by the UIM.

[0019] Key conversions as a wireless unit roams between
communications systems should be performed in a way that even if
lower security of 2G schemes and algorithms is compromised and
partial keys are recovered by the intruder, the 3G session keys would
still maintain the same level of security. Such conversions will
allow a subscriber to "roam globally" maintaining the security of
communications data and integrity of communications session.

[0020] MENEZES: 'Handbook of applied cryptography' 1997, CRC PRESS
LLC, US, XP002191213 teaches that a key-encrypting key K may be
modified in a per-use basis by a counter N. In particular, the
key-encrypting K may be modified by the counter N by performing
K ⊕ N.

[0021] According to one aspect of this invention there is provided a
method as claimed in claim 1.

[0022] According to another aspect of this invention there is
provided a key conversion system as claimed in claim 9.

[0023] The present invention is a key conversion system for
deterministically and reversibly converting a first key value of a
first communications system into a second key value of a second
communication system. For example, the key conversion system
generates a first intermediate value from at least a portion of the
first key value using a first random function. At least a portion of
the first intermediate value is provided to a second random function
to produce a second value. An exclusive-or is performed on at least a
portion of the first key value and at least a portion of the second
value to generate a second intermediate value. At least a portion of
the second intermediate value is provided to a third random function
to produce a third value. By performing an exclusive-or on at least a
portion of the third value and at least a portion of the first
intermediate value, the key conversion system produces at least a
first portion of the second key value, and at least a second portion
of the second key value is produced as the second intermediate value.
The key conversion system is deterministic in that, given a first key
value, a wireless unit and the wireless communications system will
determine the same second key value without requiring an exchange of
information.
[0024] The key conversion system is reversible or bi-directional in
that, if the wireless unit is handed off back to the first
communications system, the second key value of the second
communications system is converted back to the first key value of the
first communications system. For example, the key conversion system
provides the at least second portion of the second key value to the
third random function to produce the third value. The first
intermediate value is generated by performing an exclusive-or on the
first portion of the second key value and the third value. Using the
second random function, the key conversion system generates the
second value from the first intermediate value and produces at least
a portion of the first key by performing an exclusive-or on the
second value and the second portion of the second key value. The key
conversion system provides improved security because even if almost
all of the second key value is known, the first key value cannot
easily be recovered. Similarly, if almost all of the first key value
is known, the second key value is not easily recovered.

BRIEF DESCRIPTION OF THE DRAWINGS



[0025] Other aspects and advantages of the present invention may
become apparent upon reading the following detailed description and
upon reference to the drawings in which:

FIG. 1 shows a general diagram of wireless communications systems for
which a key conversion system embodying the present invention can be
used;

FIG. 2 is a block diagram illustrating the basic components of the
prior art 2G global system for mobiles (GSM) network and security
messages transmitted in the 2G GSM network;

FIG. 3 is a block diagram illustrating the basic components of the
prior art 3G UMTS network and messages transmitted in the 3G UMTS
network;

FIG. 4 is a block diagram illustrating the basic components of the
prior art 2G IS-41 network and messages transmitted in the prior art
2G IS-41 network;

FIG. 5 is a block diagram illustrating how a user roams from a 2G
TDMA network into a generic 3G network;

FIG. 6 is a block diagram illustrating how a user roams from a
generic 3G network into a 2G TDMA network;

FIG. 7 is a block diagram illustrating how a user roams from a 2G
CDMA network into a generic 3G network;

FIG. 8 is a block diagram illustrating how a user roams from a
generic 3G network into a 2G CDMA network;

FIG. 9 is a block diagram illustrating how a user roams from a 2G GSM
network into a generic 3G network;

FIG. 10 is a block diagram illustrating how a user roams from a
generic 3G network into a 2G GSM network;

FIG. 11 is a flow diagram of an embodiment of the forward conversion
for the key conversion system; and

FIG. 12 is a flow diagram of an embodiment of the reverse conversion
for the key conversion system.



An illustrative embodiment of the key conversion system is described
below which provides an improved key conversion for a wireless unit
which roams between first and second wireless communications systems.
The key conversion system deterministically and reversibly converts
an m bit key value of a first communications system into an n-bit key
value of a second communication system. In certain embodiments, the
key conversion system uses three random functions f, g and h where
random functions f and g map an m bit input string into an n-m bit
string resembling a random number, and the random function h maps an
n-m bit string into an m bit string resembling a random number. A
random function maps inputs to outputs such that the outputs are
unpredictable and random looking given the input. In the embodiments
described below, the random functions are random oracles where every
time an input is given it maps to the same output. Additionally, in
the embodiments described below, the random functions are publicly
known. For example, the random functions are known by the wireless
communications system(s) involved in the intersystem handoff and the
wireless unit.

[0027] The key conversion system is deterministic in that, given an
m-bit key value, a wireless unit and the wireless communications
system will determine the same n-bit key value without requiring an
exchange of information. The key conversion system is reversible or
bi-directional in that, if the wireless unit is handed off back to
the first communications system, the n bit key of the second
communications system is converted back to the m-bit key of the first
communications system. The key conversion system provides improved
security because even if almost all of the n bit key value is known,
the m bit key value cannot easily be recovered. Similarly, if almost
all of the m bit key value is known, the n bit key value is not
easily recovered.

[0028] Depending on the embodiment, the key conversion system can
provide secure, deterministic and bi-directional key conversion when
a wireless unit roams between two wireless communications system,
such as between an older communications system and a newer
communications system. For example where the same reference numerals
indicate like components, the IS-41 3G security scheme of FIG. 5
converts, at the VLR 80 and at the wireless unit 120 (or 122), the
520-bits VPM in combination with the 64-bits SMEKEY received from the
VLR 110 to the 128-bit CK and/or 128-bit IK when the wireless unit
roams into the 3G system from the 2G TDMA system. Conversely, as
shown in FIG. 6, the IS-41 3G security scheme converts, at the VLR 80
and the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit
IK to the 520-bits VPM in combination with the 64-bits SMEKEY when
the wireless unit roams into the 2G TDMA system from the 3G system.
The VLR 80 provides the VPM and the SMEKEY to the VLR 110.
[0029] As shown in FIG. 7, IS-41 3G security scheme converts, at the
VLR 80 and at the wireless unit 120 (or 122), the 42-bits PLCM in
combination with the 64-bits SMEKEY received from the VLR 110 to the
128-bit CK and/or the 128-bit IK when the wireless unit roams into
the 3G system from the 2G CDMA system. Conversely, as shown in
FIG. 8, the IS-41 3G security scheme converts, at the VLR 80 and at
the wireless unit 90 (or 92), the 128-bit CK and 128-bit IK to the
42-bits PLCM in combination with the 64-bits SMEKEY when the mobile
roams into the 2G CDMA system from the 3G system. The VLR 80 provides
the PLCM and the SMEKEY to the VLR 110.

[0030] As shown in FIG. 9, the UMTS 3G security scheme converts, at
the VLR 80 and at the wireless unit 60 (or 62), the 64-bit Kc
received from the VLR 50 to the 128-bit CK and/or the 128-bit IK when
the wireless unit roams into the 3G UMTS system from the 2G GSM
system. Conversely, as shown in FIG. 10, the UMTS 3G security system
converts, at the VLR 80 and at the wireless unit 90 (or 92), the
128-bit CK and/or the 128-bit IK to the 64-bit Kc when the wireless
unit roams into the 2G GSM system from the 3G UMTS system. The VLR 80
provides the Kc to the VLR 50.
[0031] Accordingly, in certain embodiments, a wireless unit that
supports enhanced subscriber authentication (ESA) and enhanced
subscriber privacy (ESP) in a first communications system, such as a
newer 3G communications system, may implement multiple privacy modes
to enable the wireless unit to provide privacy using older algorithms
in a second communications system, such as an older 2G TDMA
communications system. Such a wireless unit can provide other forms
of privacy after intersystem handoff to an MSC for an older second
communications system that does not support ESP. When handoff to the
older second communications system is required, the key conversion
system can convert the key values for the newer first communications
system to the privacy keys needed for the older privacy algorithms
supported by the older second communications system. The keys for the
second communications system can be sent to the target MSC of the
second communications system from the MSC of the first communications
system. Since the key conversion system is deterministic, the
wireless unit will also have the keys for the second communications
system by performing the same conversion as the first communication
system using the key conversion system of the present invention.
[0032] The key conversion system maps a key(s) from a first system
into a key(s) of a second system and back again. For example, when
performing an intersystem handoff between a 3G communications system
and a 2G TDMA system, the key conversion system can map a cipher key
CK into a VPMASK/SMEKEY (VS) pair. In this embodiment, the key
conversion function possesses the following properties: 1) A 128 bit
CK is mapped into a 584 bit VS; 2) The function is reversible and
maps back a 584 bit VS into a 128 bit CK; and 3) The function is
secure in the sense that partial knowledge of the 584 bit key will
not allow the adversary to recover the CK, nor will partial knowledge
of 128 bit key CK allow the adversary to recover the 584 bit VS. In
certain instances, for example when the call originates in a first
communication system having a larger key value than the target second
communications system, the conversion system maps the key value of
the first communication system to a key value of a second
communications system. However, if the wireless unit returns to the
first communications system, the key conversion system maps the
second key value to a subsequent key value for the first
communications system which is not necessarily the same as the
original key value. Subsequent handoffs back to the first
communications system from the second communications system produce a
key value which is the same as the subsequent key value.

[0033] For example, when performing an intersystem handoff for a call
originating with a 2G TDMA system to a 3G system, the key conversion
system can map a VPMASK/SMEKEY (VS) pair into a cipher key CK. In
this embodiment, the key conversion function maps the 584 bit VS into
the 128 bit CK. If the wireless unit is handed back to the 2G TDMA
system, the conversion system maps back the 128 bit CK into the 584
bit VS, but the new 584 bit VS may not be the same as the original
584 bit VS. Subsequent handoffs to the 2G TDMA system from the 3G
system will maintain the new 584 bit VS. Although this should not
affect the security or operation of the wireless unit, the 128 bit CK
is maintained the same all along in this embodiment.

[0034] In this embodiment, the key conversion system includes
conversion functions available at the MSC in the newer system and in
the wireless unit which will convert key values, for a first
communications system, such as ESP keys, into key values of a second
communications system, such as keys used for older privacy
algorithms. In this example, the conversion function should convert
the 128 bit CK key in the new first communication system to
VPMASK/SMEKEY (VS) keys for the older second communication system.
VPMASK is composed of 260 bits mask for each direction and SMEKEY is
64 bits long, for a total of 584 bits to be used by the older
communication system. In case of an intersystem handoff from the old
communication system to the new communication system, it may be
useful for the conversion function to be reversible. The old
communication system does not know about the new communication system
and will transfer all 584 bits to the new communication system. The
new communication system upon receiving the 584 bit key will realize
that it needs to recover the 128 bit CK, and hence will compute the
CK from the 584 bit key.

The VS keys created at the wireless unit and the MSC should be the
same. This means the calculation of the VS keys must be based solely
on CK and any other quantities known by both the MSC and the wireless
unit. Otherwise, any new quantities (e.g. random number) would have
to be exchanged between the wireless unit and the MSC prior to the
conversion. The key conversion system does not require the exchange
of information between the wireless unit and the new MSC and
deterministically maps a CK to VS keys and VS keys to a CK key.

Additionally, weaknesses in the old communications system should not
make the new communications system weak. One can achieve this by
making the key conversion function cryptographically one way, so that
even if the entire key of the old communication system, such as the
VS key in this example, is revealed, the adversary cannot recover the
key of the new communication system, such as the CK key in this
example. However, this will make the system non-reversible and, as
previously noted, the key conversion system should be reversible.
Nevertheless, the key conversion system can be reversible and still
provide almost all of the security of a non-reversible function. The
security of the key conversion system in this example prevents an
adversary from recovering any part of the CK key even if almost all
of the VS key is revealed except a small part. The adversary can
guess the small part, but he should not be able to do any better.
This aspect is important because parts of VPMASK may be somewhat easy
to recover, and the entire VPMASK may be easier to recover than the
SMEKEY. Yet if some part of the old system is hard to recover then
the adversary will not know anything about CK. A similar security can
apply to CK so that a partial knowledge of CK should not tell the
adversary anything about VS.

[0037] In certain embodiments, the conversion function has two modes, the forward conversion and the reverse conversion. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the forward conversion takes the 128 bit randomly created CK key and expands it to 584 bit VS key. The reverse conversion function takes the 584 bit VS keys and maps it to a 128 bit CK key. In this embodiment, the forward conversion function is composed of 3 random functions f, g and h which map a given input into a random output. In this embodiment, these are not secret functions but public random functions known to everybody, including the adversary. These public random functions are referred to as random oracles in the literature. These random oracles can be implemented using hash functions and block ciphers as described below. In this example, the three random functions are f, g, h where f and g map a 128 bit input into a 456 bit random value, and h maps a 456 bit input into a 128 bit random value.
[0038] FIG. 11 shows a flow diagram of an embodiment of the forward conversion of the key conversion system for converting an m-bit key value KEY1 of a first communications system into an n-bit key value KEY2 of a second communications system. The m bit KEY1 is provided to a random function f (block 200) which maps an m-bit string into an n-m bit random number or first intermediate value R. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the conversion system converts a 128 bit key CK into a 584 bit key (VPMASK, SMEKEY). The 128 bit key CK is provided to the random function f (200) which maps the 128 bit CK into a 456 bit random number or first intermediate value R. The intermediate value R is provided to a random function h (block 210) which maps an n-m bit string into an m bit random number. The m-bit output of the function h (210) is subject to an exclusive-or (XOR 220) with the m bit KEY1 to produce an m-bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the 456 bit intermediate value R is provided to the function h (210). The function h (210) maps the 456 bit value R to a 128 bit random number which is XORed with the 128 bit CK to produce a 128 bit second intermediate value T.

[0039] In the embodiment of FIG. 11, the m-bit intermediate value T is provided to a random function g (block 230). The random function g (block 230) maps an m bit string to an n-m bit random number which is subject to an exclusive-or (XOR 240) with the n-m bit intermediate value R to produce an n-m bit key value V which can be used as a key, keys or portion(s) of key(s). In this embodiment, the value V is a portion of the value KEY2 which can be used as a key, keys or portion(s) of key(s). In this embodiment, the n bit key KEY2 includes the n-m bit value V along with the m bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the random function g (230) maps the 128 bit intermediate value T into a 456 bit random number which is subject to the exclusive-or (XOR 240) with the 456 bit intermediate value R to produce the 456 bit key value V. The 456 bit value V and the 128 bit intermediate value T form the 584 bit key value KEY2 which in this example can be divided into the VPMASK and the SMEKEY for 2G TDMA systems.

[0040] The forward conversion of the CK of the 3G system to the VPMASK and SMEKEY of the 2G TDMA system can be written according to the following steps.

1. R = f(CK) /* create a 456 bit value from 128 bit CK by applying f */

2. T = h(R) XOR CK /* create a 128 bit value using h */

3. V = g(T) XOR R /* create a 456 bit value using g */

4. Output T,V /* Output the 584 bit value */

[0041] FIG. 12 shows a flow diagram of an embodiment of the reverse conversion of the key conversion system for converting the n-bit key value KEY2 of the second communications system back into the m-bit key value KEY1 of the first communications system. In this embodiment, the n bit key value KEY2 is divided into an n-m bit first portion or value V and an m-bit second portion or value T. The m-bit value T is provided to the random function g (block 250) which maps an m-bit string into an n-m bit random number. The n-m bit random number is subjected to an exclusive-or (XOR 260) with the n-m bit key value V to produce the n-m bit first intermediate value R. In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the conversion system converts the 584 bit key (VPMASK, SMEKEY) into a 128 bit key CK. The 128 bit key value portion T is provided to the random function g (250) which maps the 128 bit T into a 456 bit random number. The 456 bit random number is exclusive-ORed (XOR 260) with the 456 bit key value V to produce the 456 bit first intermediate value R.

[0042] In the embodiment of FIG. 12, the n-m bit first intermediate value R is provided to a random function h (block 270). The random function h (block 270) maps an n-m bit string to an m bit random number which is subject to an exclusive-or (XOR 280) with the m bit key value T to produce an m bit key value KEY1 which can be used as a key, keys or portion(s) of key(s). In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the random function h (270) maps the 456 bit intermediate value R into a 128 bit random number which is subject to an exclusive-or (XOR 280) with the 128 bit key value T to produce the 128 bit key CK.

[0043] The reverse conversion of the VPMASK and SMEKEY of the 2G TDMA system to the CK of the 3G system can be written according to the following steps.

1. Set T,V to 584 bit input /* T is 128 bit part, V is 456 bit part */

2. R = g(T) XOR V /* create 456 bit value R using T, V */

3. CK = h(R) XOR T

[0044] The random functions f, g and h can be implemented using hash functions and/or block ciphers. To implement the random functions f, g, and h, which can be referred to as random oracles, cryptographic hash functions, such as the functions known as SHA-1, MD5, RIPE-MD, can be used to instantiate the random functions f, g, h. A hash function can be typically characterized as a function which maps inputs of one length to outputs of another, and given an output, it is not feasible to determine the input that will map to the given output. Moreover, it is not feasible to find two inputs which will map to the same output. In using a SHA-1 hash function, each call to the SHA-1 hash function has a 160 bit initial vector (IV) and takes a 512 bit input or payload which is mapped into a 160 bit output. The IV is set to the IV defined in the standard for SHA-1 hash function. The payload will contain various input arguments: SHA(Type, Count, Input, Pad) where Type is a byte value which defines the various functions f, g, h. Function f and g will call SHA multiple times, and Count is a byte value which differentiates the multiple calls. Input is the input argument to the functions f, g, or h. Pad is zeroes to fill the remaining bit positions in the 512 bit SHA payload. Below is an example procedure for implementing the random functions f, g and h using a hash function routine referred to as SHA.

SHA(type, count, input, pad)
f(CK): SHA(1, 1, CK, pad)
       SHA(1, 2, CK, pad)
       SHA(1, 3, CK, pad) mod 2^136
h(R):  SHA(2, 1, R, pad) mod 2^128
g(T):  SHA(3, 1, T, pad)
       SHA(3, 2, T, pad)
       SHA(3, 3, T, pad) mod 2^136
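
The forward and reverse conversion steps listed above, with f, g and h built from the SHA(Type, Count, Input, Pad) procedure, as an added Python example that is not part of the patent text. The byte order of the payload fields, the concatenation order of the three SHA outputs and the sample CK are assumptions of this example; SHA-1 appears only because the page specifies it.

```python
import hashlib
import struct

M_BITS, N_BITS = 128, 584        # CK and (T, V) sizes taken from the page
R_BITS = N_BITS - M_BITS         # 456 bits: size of R and of V
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(block, iv=SHA1_IV):
    """One raw SHA-1 call: 160-bit IV and 512-bit payload in, 160 bits out."""
    if len(block) != 64:
        raise ValueError("payload must be exactly 512 bits")
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = iv
    for i in range(80):
        if i < 20:
            fn, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            fn, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            fn, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            fn, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rol(a, 5) + fn + e + k + w[i]) & 0xFFFFFFFF, a, rol(b, 30), c, d
    return struct.pack(">5I", *((x + y) & 0xFFFFFFFF for x, y in zip(iv, (a, b, c, d, e))))

def compression_matches_hashlib():
    """Sanity check: a hand-padded one-block message must hash like hashlib.sha1."""
    msg = b"abc"
    block = msg + b"\x80" + bytes(64 - len(msg) - 9) + (8 * len(msg)).to_bytes(8, "big")
    return sha1_compress(block) == hashlib.sha1(msg).digest()

def sha(type_byte, count, data):
    """SHA(Type, Count, Input, Pad): Type and Count are one byte each, Pad is zeroes."""
    payload = bytes([type_byte, count]) + data   # field order is an assumption
    if len(payload) > 64:
        raise ValueError("input does not fit in one 512-bit payload")
    return sha1_compress(payload.ljust(64, b"\x00"))

def expand(type_byte, key):
    """Three SHA calls, the third reduced mod 2^136: 160 + 160 + 136 = 456 bits."""
    last = int.from_bytes(sha(type_byte, 3, key), "big") % (1 << 136)
    return sha(type_byte, 1, key) + sha(type_byte, 2, key) + last.to_bytes(17, "big")

def f(ck):
    return expand(1, ck)                          # 128 -> 456 bits

def g(t):
    return expand(3, t)                           # 128 -> 456 bits

def h(r):
    value = int.from_bytes(sha(2, 1, r), "big") % (1 << 128)
    return value.to_bytes(16, "big")              # 456 -> 128 bits

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def forward(ck):
    """CK (128 bits) -> (T, V), 128 + 456 = 584 bits."""
    if len(ck) * 8 != M_BITS:
        raise ValueError("CK must be 128 bits")
    r = f(ck)                 # 1. R = f(CK)
    t = xor(h(r), ck)         # 2. T = h(R) XOR CK
    v = xor(g(t), r)          # 3. V = g(T) XOR R
    return t, v               # 4. Output T,V

def reverse(t, v):
    """(T, V) -> CK, undoing forward() without any exchanged randomness."""
    if len(t) * 8 != M_BITS or len(v) * 8 != R_BITS:
        raise ValueError("T must be 128 bits and V 456 bits")
    r = xor(g(t), v)          # 2. R = g(T) XOR V
    return xor(h(r), t)       # 3. CK = h(R) XOR T

if __name__ == "__main__":
    ck = bytes(range(16))     # constructed sample CK, not a real key
    t, v = forward(ck)
    print("T  =", t.hex())
    print("V  =", v.hex())
    print("CK =", reverse(t, v).hex())
```

Both sides compute the same (T, V) from CK alone, and flipping a single bit of V before the reverse conversion changes R and therefore h(R), so the recovered value no longer equals CK.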
Block ciphers, like AES, can be used to create functions f, g, and h.

f(CK): E_CK(1); E_CK(2); E_CK(3); E_CK(4) mod 2^72
h(R):  E_K0(R1 XOR 5) XOR E_K0(R2 XOR 6) XOR E_K0(R3 XOR 7) XOR E_K0(R4 XOR 8)
g(T):  E_T(9); E_T(10); E_T(11); E_T(12) mod 2^72

where in f(CK), CK is used as the key in the block cipher and 512 bit stream is produced by encrypting 1...4 in counter mode. The last encryption is truncated from 128 bit to 72 bit to get the needed 456 bits. In h(R), a public key K0 is used to encrypt the parts of 456 bit R and the resulting ciphertexts are exclusive-ored together. R1, R2, and R3 are 128 bit values and R4 is the remaining 72 bit value of R, padded with zeroes to complete 128 bits.
[0045] Thus, the key conversion system provides bi-directional, deterministic and secure conversion of a key(s) or portion(s) thereof between first and second communications systems. The key conversion system is secure in the forward direction in that given most of the output KEY2 (for example, T,V), an adversary cannot recover KEY1 (for example, CK). In the example with the 2G TDMA and 3G systems, if all of T and most of V except say 54 bits are known, then parts of R can be recovered, but not all of R by calculating R = g(T) XOR V. An attempt can be made to recover some of CK by performing CK = h(R) XOR T. However, since all of R is not known, even a bit of information about h(R) cannot be recovered, assuming h is a random function. Hence no information can be recovered about CK. Similarly, if all of V and part of T are known, except say 64 bits of T, then no information about CK can be recovered. Since we do not know all of T, the intermediate value R cannot be calculated using g(T) XOR V. Thus without the intermediate value R, no progress can be made in recovering any information about CK.

[0046] Similarly, the key conversion system is secure in the reverse direction in that given most of the output KEY1 (for example, CK), an adversary cannot recover KEY2 (for example, T, V). In the example with the 2G TDMA and 3G systems, if a part of CK is known, no information about T,V can be recovered. Since we do not know all of CK, the intermediate value R cannot be calculated using f(CK). Thus without the intermediate value R, no progress can be made in recovering any information about T,V.

[0047] In addition to the embodiment(s) described above, embodiments of the key conversion system can be used which omit and/or add input parameters and/or random functions or other operations and/or use variations or portions of the described system. For example, the key conversion system has been described as converting between n bit key of a first communication system and an m bit key of a second communications system using random oracles f, g and h where the random oracles f and g map an m bit string to a n-m bit random number and the random oracle h maps a n-m bit string to an m bit random number. However, different random functions can be used as well as different or additional functions which map x bit strings to y bit random numbers and/or map y bit strings to x bit random numbers where x or y can be equal to n-m or m. Additionally, the m bit key value for the first communications system can be a key, keys or portion(s) thereof, and the n bit key value for the second communications system can be a key, keys or portion(s) thereof. For example, in the example with the 2G TDMA and 3G systems, the conversion is between the 128 bit CK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system, but the conversion could be between a 256 bit key value of CK and IK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system.
[0048] In the example described above, a forward conversion is from the m bit key value of the first communications system to the n bit key value of the second communications system where the first communications system corresponds to the new system and the second communications system corresponds to the old system and where m<n. However, depending on the embodiment, the first communications system can be older, and the second communications system is newer. Alternatively, the forward conversion can be the conversion of the smaller size key value of one communications system to the larger bit size key value of another communications system, and the reverse conversion is the conversion of the larger bit size key value to the smaller size key value. Depending on the embodiment, the conversion of different, larger, smaller and/or the same size(s) of key value(s) between the different communications systems are possible.

[0049] Furthermore, the key conversion system can be used to handle the intersystem handoffs described in the FIGs. 5-10 to convert a key, keys or portion(s) thereof from one communications system to the key, keys or portion(s) thereof of another communications system. It should be understood that different notations, references and characterizations of the various values, inputs and architecture blocks can be used. For example, the functionality described for the key conversion system can be performed in a home authentication center, home location register (HLR), a home MSC, a visiting authentication center, a visitor location register (VLR) and/or in a visiting MSC. Moreover, the key conversion system and portions thereof can be performed in a wireless unit, a base station, base station controller, MSC, VLR, HLR or other sub-system of the first and/or second communications system. It should be understood that the system and portions thereof and of the described architecture can be implemented in or integrated with processing circuitry in the unit or at different locations of the communications system, or in application specific integrated circuits, software-driven processing circuitry, programmable logic devices, firmware, hardware or other arrangements of discrete components as would be understood by one of ordinary skill in the art with the benefit of this disclosure. What has been described is merely illustrative of the application of the principles of the present invention. Those skilled in the art will readily recognize that these and various other modifications, arrangements and methods can be made to the present invention without strictly following the exemplary applications illustrated and described herein and without departing from the scope of the present invention.



1. A method of converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said method CHARACTERIZED BY:

generating a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f);
providing at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value;
performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T);
providing at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value; and
producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. The method of claim 1 CHARACTERIZED BY:

producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. The method of claim 1 CHARACTERIZED IN THAT said generating comprises the step of:

providing said first key value (key 1) of m bits to a first random function (f) to produce said first intermediate value (R) of n-m bits.

4. The method of claim 3 CHARACTERIZED IN THAT said first steps of providing and performing comprise:

providing said n-m bit first intermediate value (R) to a second random function (h) to produce an m bit second value; and
performing an exclusive-or (220) on said m bit first key value (key 1) and said m bit second value to generate said second intermediate value (T) with m bits.

5. The method of claim 4 CHARACTERIZED IN THAT said second step of providing and said step of producing comprise:

providing said m bit second intermediate value (T) to a third random function (g) to produce a n-m bit third value; and
performing an exclusive or (240) on said n-m bit third value and said n-m bit first intermediate value (R) to generate an n-m bit first portion (V) of said second key value (key 2).

6. The method of claim 5 CHARACTERIZED BY:

providing said m bit second intermediate value (T) as an m bit second portion of said second key value (key 2) having n bits.

7. The method of claim 2 CHARACTERIZED BY the steps of:

providing said second portion (T) of said second key value (key 2) to said third random function (g) to produce said third value; and
generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. The method of claim 7 further CHARACTERIZED BY:

using said second random function (h) to generate said second value from said first intermediate value (R); and
producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. A key conversion system for converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said system CHARACTERIZED BY:

processing circuitry adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f) to provide at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T), to provide at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. The system of claim 9 CHARACTERIZED IN THAT said processing circuitry is configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

1. Method of converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said method being CHARACTERIZED BY:

generating a first intermediate value (R) from at least a part of said first key value (key 1) by means of a first random function (f);
supplying at least a part of said first intermediate value (R) to a second random function (h) in order to produce a second value;
executing an exclusive-or (220) on at least a part of said first key value (key 1) and at least a part of said second value in order to generate a second intermediate value (T);
supplying at least a part of said second intermediate value (T) to a third random function (g) in order to produce a third value; and
producing at least a first part of said second key value (key 2) by executing an exclusive-or (240) on at least a part of said third value and at least a part of said first intermediate value (R).

2. Method according to claim 1, CHARACTERIZED BY:

producing at least a part of said second intermediate value (T) as at least a second part of said second key value (key 2).

3. Method according to claim 1, CHARACTERIZED IN THAT said generating comprises the step of:

supplying said first key value (key 1) of m bits to a first random function (f) in order to produce said first intermediate value (R) of n-m bits.

4. Method according to claim 3, CHARACTERIZED IN THAT said first steps of supplying and executing comprise:

supplying said first intermediate value of n-m bits (R) to a second random function (h) in order to produce a second value of m bits; and
executing an exclusive-or (220) on said first key value of m bits (key 1) and said second value of m bits in order to generate said second intermediate value (T) with m bits.

5. Method according to claim 4, CHARACTERIZED IN THAT said second step of supplying and said step of producing comprise:

supplying said second intermediate value of m bits (T) to a third random function (g) in order to produce a third value of n-m bits; and
executing an exclusive-or (240) on said third value of n-m bits and said first intermediate value of n-m bits (R) in order to generate a first part of n-m bits (V) of said second key value (key 2).

6. Method according to claim 5, CHARACTERIZED BY:

supplying said second intermediate value of m bits (T) as a second part of m bits of said second key value (key 2) having n bits.

7. Method according to claim 2, CHARACTERIZED BY the steps of:

supplying said second part (T) of said second key value (key 2) to said third random function (g) in order to produce said third value; and
generating said first intermediate value (R) by subjecting a first part (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. Method according to claim 7, further CHARACTERIZED BY:

using said second random function (h) in order to generate said second value from said first intermediate value (R); and
producing at least a part of said first key by subjecting said second value to an exclusive-or (280) with said second part (T) of said second key value (key 2).

9. Key conversion system for converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said system being CHARACTERIZED BY:

processing circuits adapted to generate a first intermediate value (R) from at least a part of said first key value (key 1) by means of a first random function (f) in order to supply at least a part of said first intermediate value (R) to a second random function (h) in order to produce a second value, to execute an exclusive-or (220) on at least a part of said first key value (key 1) and at least a part of said second value in order to generate a second intermediate value (T), to supply at least a part of said second intermediate value (T) to a third random function (g) in order to produce a third value and to produce at least a first part of said second key value (key 2) by subjecting at least a part of said third value to an exclusive-or (240) with at least a part of said first intermediate value (R).

10. System according to claim 9, CHARACTERIZED IN THAT said processing circuits are configured to produce at least a part of said second intermediate value (T) as at least a second part of said second key value (key 2).



Patent claims

1. Method for converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second telecommunications system, characterized by the following steps:

generating a first intermediate value (R) from at least a part of the first key value (key 1) using a first random function (f);
providing at least a part of the first intermediate value (R) to a second random function (h) for generating a second value;
performing an exclusive-or function (220) on at least a part of the first key value (key 1) and at least a part of the second value for generating a second intermediate value (T);
providing at least a part of the second intermediate value (T) to a third random function (g) for generating a third value; and
generating at least a first part of the second key value (key 2) by performing an exclusive-or function (240) on at least a part of the third value and at least a part of the first intermediate value (R).

2. Method according to claim 1, characterized by generating at least a part of the second intermediate value (T) as at least a second part of the second key value (key 2).

3. Method according to claim 1, characterized in that the generating comprises the following step:

providing the first key value (key 1) of m bits to a first random function (f) for generating the first intermediate value (R) of n-m bits.

4. Method according to claim 3, characterized in that the first steps of providing and performing comprise the following:

providing the first n-m bit intermediate value (R) to a second random function (h) for generating a second m bit value; and
performing an exclusive-or function (220) on the first m bit key value (key 1) and the second m bit value for generating the second intermediate value (T) with m bits.

5. Method according to claim 4, characterized in that the second step of providing and the step of generating comprise the following:

providing the second m bit intermediate value (T) to a third random function (g) for generating a third n-m bit value; and
performing an exclusive-or function (240) on the third n-m bit value and the first n-m bit intermediate value (R) for generating a first n-m bit part (V) of the second key value (key 2).

6. Method according to claim 5, characterized by providing the second m bit intermediate value (T) as a second m bit part of the second key value (key 2) with n bits.

7. Method according to claim 2, characterized by the following steps:

providing the second part (T) of the second key value (key 2) to the third random function (g) for generating the third value; and
generating the first intermediate value (R) by subjecting the first part (V) of the second key value (key 2) to an exclusive-or function (260) with the third value.

8. Method according to claim 7, further characterized by

using the second random function (h) for generating the second value from the first intermediate value (R); and
generating at least a part of the first key by subjecting the second value to an exclusive-or function (280) with the second part (T) of the second key value (key 2).

9. Key conversion system for converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second communications system, characterized by the following:

processing circuits for generating a first intermediate value (R) from at least a part of the first key value (key 1) using a first random function (f) for providing at least a part of the first intermediate value (R) to a second random function (h) for generating a second value, for performing an exclusive-or function (220) on at least a part of the first key value (key 1) and at least a part of the second value for generating a second intermediate value (T), for providing at least a part of the second intermediate value (T) to a third random function (g) for generating a third value and for generating at least a first part of the second key value (key 2) by subjecting at least a part of the third value to an exclusive-or function (240) with at least a part of the first intermediate value (R).

10. System according to claim 9, characterized in that the processing circuits are configured for generating at least a part of the second intermediate value (T) as at least a second part of the second key value (key 2).